Showing posts from April, 2021

Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging

 If you ever looked into one of Broadcom's combo chip datasheets, you might have noticed a feature called "WLAN RAM Sharing". In the following, I will explain how to use it to get controlled code execution on Wi-Fi via Bluetooth, which can be helpful in a couple of scenarios: Hack around in Wi-Fi firmware during runtime without disabling SELinux on Android ( Nexmon requires kernel patching with disabled SELinux). Indirect Wi-Fi firmware hacking support on platforms that are not supported by Nexmon (iOS, macOS, etc.). Reaching states in the Wi-Fi driver one could not reach over-the-air (💥💥💥). WLAN RAM Sharing?! Francesco and me looked into so-called coexistence features. If you want more details on this, watch our DEF CON or Black Hat talk from last year :) In short, despite running on different ARM cores, Broadcom and Cypress BT/Wi-Fi have coexistence features, which include a unidirectional RAM sharing feature. This feature is shown in some leaked datasheets in the